[Samba] dc1 stopped replicate after kutil change
John Farmer
jfarmer at industrialinfo.com
Thu Jul 8 14:34:10 UTC 2021
We are having an issue with replication after a kutil change was made.
Replication from dc1 to dc2-12 is failing:

samba-tool drs showrepl
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.243.0.90[49153,seal,target_hostname=dc1.ad.companyname,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.243.0.90]
NT_STATUS_LOGON_FAILURE
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.ad.companyname failed - drsException: DRS connection to dc1.ad.companyname failed: (3221225581, 'The attempted logon is invalid. This is either due to a bad username or authentication information.')
  File "/usr/lib64/python3.6/site-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.6/site-packages/samba/drs_utils.py", line 63, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

With further debug we found this error:

Failed to get kerberos credentials: kinit for DC1$@AD.companyname failed (Preauthentication failed)
Wrong username or password: kinit for DC1$@AD.companyname failed (Preauthentication failed)

kinit -V -k -t /etc/krb5.keytab DC1$@AD.companyname
Using default cache: /tmp/krb5cc_0
Using principal: DC1AD.companyname at AD.companyname
Using keytab: /etc/krb5.keytab
kinit: Keytab contains no suitable keys for DC1AD.companyname at AD.companyname while getting initial credentials

kinit -V -k -t /etc/krb5.keytab
kinit: Cannot determine realm for host (principal host/dc1.ad.companyname@)

Looks like someone made some changes using adcli; we can't quite
figure out what is going on.
This issue is only on dc1, not on any of the other DCs.
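
An added example, not part of the original post: the `Using principal:` line in the first kinit run lacks the `$` because an unquoted `$@` is expanded by the shell (to the positional parameters, which are empty in an interactive shell) before kinit receives the argument, so that run tested a different principal than the machine account. The keytab listing and the function names below are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. The listing is constructed sample data in the layout
# printed by MIT `klist -k`; it is not taken from the poster's system.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/dc1.ad.companyname@AD.companyname
   3 DC1$@AD.companyname
'

# Return the argument exactly as a program such as kinit would receive it.
as_received() { printf '%s' "$1"; }

# Succeed if principal $1 appears in the `klist -k` listing passed as $2.
# Only rows after the dashed rule are considered; the match is exact.
in_keytab() {
    printf '%s\n' "$2" | awk -v p="$1" '
        seen_rule && $2 == p { found = 1 }
        /^----/ { seen_rule = 1 }
        END { exit !found }'
}

# Report whether the keytab listing holds a key for the given principal.
check() {
    if in_keytab "$1" "$SAMPLE_KLIST"; then
        echo "present: $1"
    else
        echo "missing: $1"
    fi
}

set --   # no positional parameters, as in an interactive shell
unquoted=$(as_received DC1$@AD.companyname)    # shell expands $@ to nothing
quoted=$(as_received 'DC1$@AD.companyname')    # single quotes keep the literal $

check "$unquoted"
check "$quoted"
```

On a real host the listing comes from `klist -k /etc/krb5.keytab`, and passing the principal in single quotes makes kinit test the machine account name itself.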